
If you are using the Microsoft-hosted Azure DevOps Build Agents, then you won't really have a reliable way to know what IP Address traffic from the Build Agent will originate from. This can be an issue when firewalls block the traffic your deployments need to perform actions on your resources. Thankfully, the Microsoft-hosted Build Agents have Internet access, and you can use a service such as http://ipinfo.io/ip to retrieve the Public IP Address of the Build Agent.

NOTE: The best practice recommendation is to use your own Build Agents with Azure DevOps. This gives you the best level of security for where your Azure Pipelines code will be running, and the traffic originating on the Build Agents can easily be allowed through your firewall.

Here’s the simple bash script you can use to retrieve the Public IP Address of the Azure DevOps Build Agent (or really any other computer) that is running the script:

ipaddress=$(curl -s http://ipinfo.io/ip)

This example uses the http://ipinfo.io service to retrieve the Public IP Address of the computer running the script. You will want to verify that using this service meets the security standards you are required to adhere to within your organization before using this service. You may want to use a different service if that fits your security practices better.

To use this script in a pipeline task, you can assign the retrieved ipaddress value to a pipeline variable within your YAML pipeline so that it can be used in other tasks of your pipeline to set up firewalls, etc.

Below is an example YAML task that sets the IP Address value as an output variable of the task, so it can be referenced and used in later tasks:

- task: Bash@3
  name: BuildAgentIP
  inputs:
    targetType: 'inline'
    script: |
      ipaddress=$(curl -s http://ipinfo.io/ip)
      echo "##vso[task.setvariable variable=address;isOutput=true;]$ipaddress"

Once the Public IP Address of the Azure DevOps Build Agent is retrieved, it is the Public IP Address for just this single execution of the DevOps Pipeline within the Build Agent. Any subsequent executions of the pipeline will execute on a different Build Agent, so the Public IP Address will be different.

The Public IP Address of the Build Agent that was retrieved can now be used by later tasks within the DevOps YAML Pipeline by referencing the output variable from this task.

Below is an example of referencing the Public IP Address to add it to the firewall for an Azure Key Vault resource, and then removing it from the Key Vault's firewall as well:

- task: AzureCLI@2
  inputs:
    azureSubscription: <azure-subscription>
    scriptType: bash
    scriptLocation: inlineScript
    inlineScript: |
      # Add IP to Key Vault Firewall
      az keyvault network-rule add --name <key-vault-name> --ip-address "$(BuildAgentIP.address)/32"

      # Do stuff against Key Vault here...

      # Remove IP from Key Vault Firewall
      az keyvault network-rule remove --name <key-vault-name> --ip-address "$(BuildAgentIP.address)/32"

When using the above example, be sure to replace the <azure-subscription> and <key-vault-name> placeholders with your Azure Subscription and resource information.
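
The following is an added example, not part of the original post: it checks that the value returned by the lookup service is a single public IPv4 address before it reaches a firewall rule, and it removes the rule even when the Key Vault work fails. The function names, the KEY_VAULT variable and do_key_vault_work are assumptions, and the lookup uses HTTPS instead of the plain HTTP used above.

```bash
#!/usr/bin/env bash
# Added example, not the post's code. KEY_VAULT is the page's placeholder.
KEY_VAULT="${KEY_VAULT:-<key-vault-name>}"

# Look the address up over HTTPS and fail on HTTP errors or timeouts.
get_agent_ip() { curl -fsS --max-time 10 https://ipinfo.io/ip; }

# Succeeds only for a single dotted-quad IPv4 address, no leading zeros,
# outside the private, loopback, link-local, shared and multicast ranges.
is_public_ipv4() {
  case $1 in
    ''|*[!0-9.]*|.*|*.|*..*|0[0-9]*|*.0[0-9]*) return 1 ;;
  esac
  local IFS=. o
  set -- $1                      # split on dots; only digits and dots remain
  [ "$#" -eq 4 ] || return 1
  for o in "$@"; do
    [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
  done
  case $1.$2 in
    0.*|10.*|127.*|169.254|192.168) return 1 ;;
  esac
  [ "$1" -ge 224 ] && return 1
  [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ] && return 1
  [ "$1" -eq 100 ] && [ "$2" -ge 64 ] && [ "$2" -le 127 ] && return 1
  return 0
}

# Hypothetical wrappers around the page's az commands.
add_rule() { az keyvault network-rule add --name "$KEY_VAULT" --ip-address "$1/32"; }
remove_rule() { az keyvault network-rule remove --name "$KEY_VAULT" --ip-address "$1/32"; }

# Adds the rule for $1, runs the remaining arguments as a command, and removes
# the rule even when that command fails. Returns the command's exit status.
with_firewall_rule() {
  local ip="$1" rc=0
  shift
  is_public_ipv4 "$ip" || { echo "refusing: not a public IPv4 address" >&2; return 2; }
  add_rule "$ip" || return 1
  "$@" || rc=$?
  remove_rule "$ip" || echo "warning: rule for $ip was not removed" >&2
  return "$rc"
}

# Usage inside the AzureCLI@2 inline script (do_key_vault_work is hypothetical):
#   with_firewall_rule "$(get_agent_ip)" do_key_vault_work
```

This cleanup does not run if the agent job is cancelled or killed mid-step; a separate later step with `condition: always()` that removes the rule covers that case.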

Happy Scripting!


Chris Pietschmann is a Microsoft MVP, HashiCorp Ambassador, and Microsoft Certified Trainer (MCT) with 20+ years of experience designing and building Cloud & Enterprise systems. He has worked with companies of all sizes from startups to large enterprises. He has a passion for technology and sharing what he learns with others to help enable them to learn faster and be more productive.